{"id":284,"date":"2010-03-24T15:24:29","date_gmt":"2010-03-24T20:24:29","guid":{"rendered":"http:\/\/zitstif.no-ip.org\/?p=284"},"modified":"2010-03-24T15:30:27","modified_gmt":"2010-03-24T20:30:27","slug":"netgear-rp614v4-exploit","status":"publish","type":"post","link":"http:\/\/zitstif.no-ip.org\/?p=284","title":{"rendered":"Netgear RP614v4 exploit"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" title=\"http:\/\/www.netgear.com.cn\/support\/images\/rp614v4.gif\" src=\"http:\/\/www.netgear.com.cn\/support\/images\/rp614v4.gif\" alt=\"rp614v4\" width=\"233\" height=\"86\" \/><\/p>\n<p><strong>Website\/Company:<\/strong> http:\/\/zitstif.no-ip.org<br \/>\n<strong>E-mail:<\/strong> zitstif[at]gmail.com<\/p>\n<p><strong>Name:<\/strong> Kyle Young<br \/>\n<strong>Device:<\/strong> Netgear RP614v4<br \/>\n<strong>Firmware version:<\/strong> v1.1.2_09.01<br \/>\n<strong>Firmware release date:<\/strong> November 2009<br \/>\n<strong>HTTP service:<\/strong> Boa HTTPd 0.93.15<br \/>\n<strong>Exploit release date:<\/strong> Wednesday March 24, 2010<\/p>\n<p><strong>Default router credentials:<\/strong><br \/>\nusername: admin<br \/>\npassword: password<\/p>\n<p><strong>Scope:<\/strong> Local\/Remote<\/p>\n<p><strong>Vulnerability:<\/strong><\/p>\n<p>The Netgear RP614v4 is susceptible to an end user making a request for the netgear.cfg file, which is located at:<\/p>\n<p>http:\/\/[RouterIP]\/vgn\/jsp\/netgear.cfg<\/p>\n<p>This file is a plain-text ASCII file that contains the router&#8217;s password at line 216, which looks similar to this:<\/p>\n<p>http_passwd=myvulnerablepassword<\/p>\n<p><strong>You don&#8217;t have to authenticate to obtain this file at all.<\/strong><\/p>\n<p>The concern with this exploit is that it works on the LAN that the router is on, or even remotely over a WAN if the remote administration option is enabled; the default port for this is 
8080.<\/p>\n<p><strong>PoC:<\/strong> <a title=\"http:\/\/zitstif.no-ip.org\/rp614v4\/rp614v4exploit.txt\" href=\"http:\/\/zitstif.no-ip.org\/rp614v4\/rp614v4exploit.txt\" target=\"_blank\">http:\/\/zitstif.no-ip.org\/rp614v4\/rp614v4exploit.txt<\/a><\/p>\n<p><strong>Additional notes:<\/strong><\/p>\n<p>After discovering this vulnerability, I&#8217;ve noticed with other routers that have HTTP-based administration that you can make requests for config files without authenticating. However, this does not always work, and at times the config file is obfuscated.<\/p>\n<p>From my experience, most of the config files for routers are in a binary format and can be viewed with a program like &#8216;<strong>bvi<\/strong>&#8217;. At times, you can view credentials to the device and also PPPoE credentials.<\/p>\n<p>I&#8217;m reporting this vulnerability to securityfocus.com due to the lack of support on Netgear&#8217;s end.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Website\/Company: http:\/\/zitstif.no-ip.org E-mail: zitstif[at]gmail.com Name: Kyle Young Device: Netgear RP614v4 Firmware version: v1.1.2_09.01 Firmware release date: November 2009 HTTP service: Boa HTTPd 0.93.15 Exploit release date: Wednesday March 24, 2010 Default router credentials: username: admin password: password Scope: Local\/Remote Vulnerability: The Netgear RP614v4 is susceptible to an end user making a request for the netgear.cfg &hellip; <a href=\"http:\/\/zitstif.no-ip.org\/?p=284\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Netgear RP614v4 exploit<\/span> <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,106,3],"tags":[920,110,111,108,112,109,107],"class_list":["post-284","post","type-post","status-publish","format-standard","hentry","category-code","category-exploits","category-posts","tag-exploits","tag-netgear","tag-netgear-rp614v4-exploit","tag-router-exploit","tag-rp614v4","tag-rp614v4-exploit","tag-securityfocus"],"_links":{"self":[{"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/posts\/284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=284"}],"version-history":[{"count":4,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/posts\/284\/revisions"}],"predecessor-version":[{"id":287,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/posts\/284\/revisions\/287"}],"wp:attachment":[{"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=284"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}